author | Emilien Macchi <emilien@redhat.com> | 2016-10-06 11:18:14 -0400 |
---|---|---|
committer | Emilien Macchi <emilien@redhat.com> | 2016-10-06 12:07:35 -0400 |
commit | 7322d60610764f728ce58d4e8a39a6c54c652643 (patch) | |
tree | 0d58f2bc7b8b4e9328806c1d8ff6217b64ef409d /puppet/services | |
parent | ddd4d3cd9f5012b505c1ed2c4ee6a62dde37dbaf (diff) |
Enable firewalling by default on compute nodes
- Move VXLAN and VRRP rules from Neutron Server to the right services.
- Enable Firewall by default on Compute nodes.
Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
Diffstat (limited to 'puppet/services')
-rw-r--r-- | puppet/services/keepalived.yaml | 3 | ||||
-rw-r--r-- | puppet/services/neutron-api.yaml | 5 | ||||
-rw-r--r-- | puppet/services/neutron-l3.yaml | 3 | ||||
-rw-r--r-- | puppet/services/neutron-ovs-agent.yaml | 6 |
4 files changed, 12 insertions, 5 deletions
diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml
index 2b069d67..38cfbe22 100644
--- a/puppet/services/keepalived.yaml
+++ b/puppet/services/keepalived.yaml
@@ -41,5 +41,8 @@ outputs:
 config_settings:
 tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface}
 tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface}
+ tripleo.keepalived.firewall_rules:
+ '106 keepalived vrrp':
+ proto: vrrp
 step_config: |
 include ::tripleo::profile::base::keepalived
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index af77dc05..c2b6b6f7 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -150,11 +150,6 @@ outputs:
 dport:
 - 9696
 - 13696
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '106 vrrp':
- proto: vrrp
 neutron::server::router_distributed: {get_param: NeutronEnableDVR}
 # NOTE: bind IP is found in Heat replacing the network name with the local node IP
 # for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml
index 9e223374..a89e3d75 100644
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@@ -67,5 +67,8 @@ outputs:
 - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
 neutron::agents::l3::router_delete_namespaces: True
 neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode}
+ tripleo.neutron_l3.firewall_rules:
+ '106 neutron_l3 vrrp':
+ proto: vrrp
 step_config: |
 include tripleo::profile::base::neutron::l3
diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index cbe65638..cca0deee 100644
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
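Review bot: The new `'106 keepalived vrrp'` rule matches only on `proto: vrrp`, so as far as this hunk shows it accepts VRRP advertisements from any source address on any interface. VRRP advertisements carry no meaningful authentication, so a host that can reach the node on an untrusted network could take part in master election; if the firewall rule type used here accepts a source restriction, scope the rule to the network that carries the VIP traffic, or add a comment above it such as `# VRRP is accepted from all sources; restrict to the VIP network where possible`. The same applies to `'106 neutron_l3 vrrp'` in neutron-l3.yaml and to the VXLAN and GRE rules in neutron-ovs-agent.yaml. Both VRRP rules also share the number 106, which is harmless only if rule names rather than numbers are required to be unique, so that is worth confirming for nodes that run both services.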
@@ -117,5 +117,11 @@ outputs:
 # internal_api_subnet - > IP/CIDR
 neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
 neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+ tripleo.neutron_ovs_agent.firewall_rules:
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '136 neutron gre networks':
+ proto: 'gre'
 step_config: |
 include ::tripleo::profile::base::neutron::ovs |
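Review bot: The `'136 neutron gre networks'` rule is new rather than moved, and the commit message mentions only VXLAN and VRRP, so the reason for opening GRE should be recorded, for example with a comment `# GRE tunnel endpoint traffic between OVS agents` above the rule and a line in the commit description. Both tunnel rules are also added unconditionally in this hunk, so a deployment that uses only one tunnel type (or none) still accepts the other encapsulation on its compute nodes. If the configured tunnel type is available as a parameter in this template, which is not visible here, keying the rules on it would keep the ruleset to what is actually in use. The `config_settings` block begins outside the hunk.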